I have an Apache 2.2 server with an SSL certificate hosting several services that should only be accessed using SSL.

i.e.: https://myserver.com/topsecret/ should be allowed while http://myserver.com/topsecret/ should be either denied or, ideally, redirected to https. http://myserver.com/public should not have this restriction, and should work using either http or https.
The decision to allow/deny http is made at the top level directory, and affects all content underneath it.

Is there a directive that can be placed in the Apache config to restrict access in this manner?

+1  A: 

Assuming you are using VirtualHost directives,

Place a Directory directive in the non-ssl virtualhost denying access.

Then, place a Directory directive in the ssl virtualhost granting access.

Chris
A: 

I've always done this with mod_rewrite in an .htaccess file, though you should be able to do it within your main config file as well.

Here's a guide with a few ways of making this happen: Smart HTTP and HTTPS RewriteRule Redirects

Jason Wadsworth
+2  A: 

The SSLRequireSSL directive is what you're looking for.

Thomas
Thanks, that did the trick nice and easily.
DrStalker
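
The Directory-per-VirtualHost approach and the SSLRequireSSL directive from the answers above, combined into one Apache 2.2 configuration. This is an added example, not part of the original answers; the DocumentRoot and certificate file paths are assumed.

```apache
# Added example for Apache 2.2. Paths below are assumptions, adjust to your layout.

<VirtualHost *:80>
    ServerName myserver.com
    DocumentRoot /var/www/myserver

    # /public is not mentioned here, so it stays reachable over plain HTTP.

    # Send everything under /topsecret to the HTTPS virtual host (mod_alias).
    # /topsecret/foo becomes https://myserver.com/topsecret/foo
    Redirect /topsecret https://myserver.com/topsecret

    # Fallback: if the Redirect above is ever removed, plain-HTTP
    # requests for this directory are refused instead of served.
    <Directory /var/www/myserver/topsecret>
        Order deny,allow
        Deny from all
    </Directory>
</VirtualHost>

<VirtualHost *:443>
    ServerName myserver.com
    DocumentRoot /var/www/myserver

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/myserver.com.crt
    SSLCertificateKeyFile /etc/ssl/private/myserver.com.key

    <Directory /var/www/myserver/topsecret>
        # Answers 403 to any request that did not arrive over SSL,
        # even if this block is later copied into a non-SSL context.
        SSLRequireSSL
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
```

Requesting http://myserver.com/topsecret/ should then return a redirect to the https URL, while http://myserver.com/public is served on either scheme.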
+1  A: 
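<IfModule mod_rewrite.c>
   RewriteEngine On
   # Only redirect requests that did not arrive on the SSL port
   RewriteCond %{SERVER_PORT} !^443$
   # Send /topsecret/... to the same path over https
   RewriteRule ^/topsecret/(.*)$ https://myserver/topsecret/$1 [R,L]
</IfModule>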
A: 

Alternatively, you could use the server-side language to do the processing for you, rather than using Apache's configuration options (if, perhaps, you don't have access to the server's configuration).

For example, with PHP:

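// HTTPS is unset on most servers for plain HTTP, and "off" under ISAPI on IIS
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
  // put your redirect here
  header('Location: http://myserver.com/public');
  exit; // stop here so the rest of the page is not sent along with the redirect
}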

(though just be aware - if you're using ISAPI on Microsoft IIS, if the request is not being routed through HTTPS, then the value of the $_SERVER['HTTPS'] variable will be "off")

Magsol
A: 

Maybe even:

if ($_SERVER['SERVER_PORT'] != 443) {
  header('Location: http://publicdomain.com');
  exit; // stop here so the rest of the page is not sent along with the redirect
}

jddsoftware